Finally, some headway in the battle for Internet security?

The latest report on Internet security from Symantec Corp. identified a couple of positive trends in the last half of 2004.

The number of known compromised computers in re- motely controlled'or 'bot''networks dropped sharply from more than 30,000 a day in late July to fewer than 5,000 a day by the end of the year.

Over the same period, the window that systems administrators have for patching vulnerabilities opened a little. The average length of time between the disclosure of a vulnerability and the release of an associated exploit increased from 5.8 days to 6.4 days.

Alfred Huger, Symantec's senior director of engineering for security response, said the shifts were significant. 'We feel as if education is starting to take hold,' he said of the drop in compromised computers. 'We're finding that ISPs and large backbones are starting to find these networks and shut them down.'

The Symantec Internet Security Threat Report analyzes security incidents observed on more than 20,000 devices deployed by the company's DeepSight Threat Management System and managed security services. The report comes out every six months.

The previous threat report had shown a sharp spike in zombie computers, which make up a bot network, from fewer than 2,000 a day to more than 30,000.

Hackers typically use bot networks as platforms for scanning other systems for vulnerabilities, for launching attacks and to send spam. The use of these compromised zombie computers can help hide the source of probes and attacks and can multiply the impact of an attack.

Software holes increase

The lengthening time between a vulnerability and its exploit is good news, but the total number of vulnerabilities continues to climb. Symantec reported 1,403 new vulnerabilities in the last six months of 2004, compared with 1,237 in the previous six months. And al- though patches typically are re- leased at the same time a vulnerability is disclosed, the need to test patches against network configurations makes installing them a time-consuming process. Administrators cannot depend on patches alone to provide security.

'Trying to patch those on a large government network is challenging, to say the least,' Huger said. 'You need to have defense in depth and strong technology deployed to recover after a breach occurs.'

Huger said there was little to distinguish the government networks that are monitored to produce the report. 'They looked very much like a large corporate network.'

The top attack during the last half of the year against government networks was the Microsoft Local Se-curity Authority Subsystem buffer overrun, which accounted for 12 percent of attacks. This attack is commonly associated with the Sasser worm, but versions of the Gaobot and Spybot attacks also use it.

The most commonly scanned port on government networks was User Datagram Protocol port 1434, which is used by Gaobot and Spybot.

The prevalence of these attacks, which are launched by bot or zombie networks, shows that these networks still pose serious threats.

The United States seems to be the largest single source of attacks on government networks, accounting for 32 percent of detected attacks. This probably reflects the fact that although some Asian and European nations outstrip this country in percentage of broadband connections, the United States has more Internet users than any other country.